While it doesn't hurt to double check for hackers, maybe even triple check, I also have been
hacked a while back, also for an eBay phishing scheme. They used my Solaris machine.
1. They "rootkit"ed me. If you don't know what a rootkit is, you'd best learn now. You can pick
up rootkit detecting scripts and programs here and there. Use Google. I'll guess that Linux rootkits
are especially juicy!
2. They installed a backup test account, and had their own sshd daemon running.
3. They had a network password sniffer running.
4. They had an IRC chat server running.
5. They put in the files in the web doc space, imitating an ebay site, advertising a sweepstakes for a luxury car.
6. They sent out mass mailings pointing to my site (by IP).
7. Hundreds of folks responded. Somebody called me, and was horrified.
8. I moved the main sign-in file in the html dirs, and within a minute or two it was back.
9. I concluded that they were logged in and trying to keep the scam running as long as they could. I pulled the internet connection.
10. I began a thorough three-day postmortem. Almost everything they did kept logs. What fools!
11. I changed all passwords, and deleted the new accounts, and took all non-necessary daemons offline, and snapped a
firewalling router in front of the machine.
12. I found every file, everything, and renamed them. Found the startups and reboot scripts and cron additions.
13. I studied every log. From their own sniffer logs, I got account names and passwords for THEIR
warez sites. They even left behind the tar files for their rootkit. I learned a lot about rootkits. Most of
the normal commands you use are replaced with their variant. It's the same size, and has the same dates
on the files. But their version of ps won't show the sshd proc, or sniffers, or IRC running. Their ls won't report
any of the dirs or files for the rootkit. Etc. I won't go into detail about what I did to them...
I found that having a spare ps and ls in some obscure dir isn't a bad thing to have, for such rainy days.
Running tripwire is a pain, but would turn up every installed file quickly, based on checksums.
14. In all of this, I filed FBI reports, and kept eBay apprised. As far as I could tell, the FBI showed absolutely no response.
For all I know, the FBI web site is purely for stats. And the FTC doesn't respond to anything either. I guess this is small-time
stuff, and they are saturated. But, no one could point a finger at me or my employer, and say we were complicit. I did
not destroy any evidence...
Apparently thousands (note the plural) of such scams are executed every month. It'd be hard for any law enforcement
organization to keep up.
---But, one (or two) errant emails aren't necessarily an indication that you have been hacked! There are a lot of viral emails floating
around that take addresses from address books, and use random selections for both the recipient and sender. Strange
things happen when viral emails bounce, especially when one of the parties runs out of disk space, and bounce messages
start flying. IT NEVER HURTS TO CHECK, though!
murf
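murf's point 13 is that a rootkit's ps and ls keep the original size and dates, so only a checksum comparison (the tripwire approach in the same post) exposes them. The following is an added example, not code from the post or the list: a small baseline-and-compare script in the style of tripwire, run against a constructed directory tree whose file names and contents are invented for the demonstration.

```python
import hashlib
import os
import tempfile
from pathlib import Path

def fingerprint(path: Path) -> dict:
    """Size, mtime and SHA-256; only the hash survives a same-size swap with restored dates."""
    st = path.stat()
    return {"size": st.st_size, "mtime": st.st_mtime_ns,
            "sha256": hashlib.sha256(path.read_bytes()).hexdigest()}

def baseline(root: Path) -> dict:
    """Record a fingerprint for every regular file under root (taken on a clean system)."""
    return {p.relative_to(root).as_posix(): fingerprint(p)
            for p in sorted(root.rglob("*")) if p.is_file()}

def compare(old: dict, new: dict) -> dict:
    """Classify differences; 'stealth_replaced' means contents changed while
    size and mtime were preserved, the trick the post describes for ps and ls."""
    report = {"added": [], "removed": [], "changed": [], "stealth_replaced": []}
    for name in sorted(set(old) | set(new)):
        if name not in old:
            report["added"].append(name)
        elif name not in new:
            report["removed"].append(name)
        elif old[name]["sha256"] != new[name]["sha256"]:
            same_meta = (old[name]["size"] == new[name]["size"]
                         and old[name]["mtime"] == new[name]["mtime"])
            report["stealth_replaced" if same_meta else "changed"].append(name)
    return report

def demo() -> dict:
    """Constructed scenario, not real data: a fake 'bin/ps' of the same length
    gets the old dates put back, and an extra sign-in page appears in htdocs/."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "htdocs").mkdir()
        ps = root / "bin" / "ps"
        ps.write_bytes(b"ORIGINAL PS BINARY")
        (root / "htdocs" / "index.html").write_text("<h1>welcome</h1>")
        before = baseline(root)            # taken while the machine is clean
        st = ps.stat()
        ps.write_bytes(b"TROJANED PS BINARY")            # same 18-byte length
        os.utime(ps, ns=(st.st_atime_ns, st.st_mtime_ns))  # restore the dates
        (root / "htdocs" / "signin.html").write_text("bogus sign-in page")
        return compare(before, baseline(root))

if __name__ == "__main__":
    print(demo())
```

In practice the baseline would be written to read-only media and the comparison run from a known-clean copy of the tools, since the rootkit's own ls and sha256sum cannot be trusted.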
You've likely been hacked.
I have recently had a similar incident where a hacker guessed my root
password (MY BAD) and set up an eBay password skimming site.
I noticed it when I got similar non-deliverable email messages.
Obviously, first change your password and then look at the /var/www/html
directory and see if there are unwelcome pages there. Also be sure to check
who is logged in currently. I caught the (*%#@ SOB logged in and bounced
the bastard.
For what it's worth, the hacker's IP address was: 81.12.141.150.
Karl Putz
>-----Original Message-----
>From: [EMAIL PROTECTED]
>[mailto:[EMAIL PROTECTED]]On Behalf Of Jean-Louis
>curty
>Sent: Thursday, February 10, 2005 9:10 AM
>To: Asterisk Users Mailing List - Non-Commercial Discussion
>Subject: [Asterisk-Users] [EMAIL PROTECTED] scary log
>
>
>Hi everybody,
>
>I'm testing [EMAIL PROTECTED] 0.4,
>looks great so far
>
>I was working when I was alerted by a beep coming from the * pc...
>
>I connected a screen to it and saw that there was a message which
>looked like :
>
>
>Message from [EMAIL PROTECTED] at Thu Feb 10 09:01:00 2005 ...
>asterisk1
>
>
>
>so I stopped asterisk, typed mail and got a strange mail saying that
>user [EMAIL PROTECTED] could not be reached, and the body looked like
>the result of commands such as ifconfig etc.
>
>unfortunately I don't have the message anymore but I went to the log
>
>and saw this
>Feb 9 20:30:07 asterisk1 sendmail[10088]: j1A1U7mf010088: from=<[EMAIL PROTECTED]>, size=329, class=0, nrcpts=1,
>msgid=<[EMAIL PROTECTED]>, proto=ESMTP, daemon=MTA, relay=asterisk1.local [127.0.0.1]
>Feb 9 20:30:07 asterisk1 sendmail[10071]: j1A1U7Q1010071: [EMAIL PROTECTED], ctladdr=root (0/0), delay=00:00:00,
>xdelay=00:00:00, mailer=relay, pri=30049, relay=[127.0.0.1]
>[127.0.0.1], dsn=2.0.0, stat=Sent (j1A1U7mf010088 Message accepted for delivery)
>Feb 9 20:30:07 asterisk1 sendmail[10077]: j1A1U7CY010077: [EMAIL PROTECTED], ctladdr=root (0/0), delay=00:00:00,
>xdelay=00:00:00, mailer=relay, pri=30068, relay=[127.0.0.1]
>[127.0.0.1], dsn=2.0.0, stat=Sent (j1A1U7Ns010089 Message accepted for delivery)
>Feb 9 20:30:17 asterisk1 sendmail[10094]: j1A1U7Ns010089: to=<[EMAIL PROTECTED]>, ctladdr=<[EMAIL PROTECTED]> (0/0),
>delay=00:00:10, xdelay=00:00:10, mailer=esmtp, pri=30348,
>relay=gsmtp171.google.com. [64.233.171.27], dsn=2.0.0, stat=Sent (OK 1107998984)
>Feb 9 20:30:17 asterisk1 sendmail[10093]: j1A1U7mf010088: to=<[EMAIL PROTECTED]>, ctladdr=<[EMAIL PROTECTED]> (0/0),
>delay=00:00:10, xdelay=00:00:10, mailer=esmtp, pri=30329,
>relay=gsmtp171.google.com. [64.233.171.27], dsn=2.0.0, stat=Sent (OK 1107998984)
>
>
>the thing is I did not send any message to [EMAIL PROTECTED] nor to
>somebody at yahoo,
>
>
>anybody got the same? What can I do??
>
>thanks
>jl
